If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

OpenSSH

To those who use SuSE and OpenBSD there is a undisclosed vulnerability, all SuSE distro's use OpenSSH as a deafult during install and users are urged to get the lates version, 3.3 rpm from ftp.suse.com and enable the useprivilegeseparation
OpenBSD will release OpenSSH 3.4 on monday wich will fix the vulnerability.

Re: OpenSSH

Originally posted here by Leviatan To those who use SuSE and OpenBSD there is a undisclosed vulnerability, all SuSE distro's use OpenSSH as a deafult during install and users are urged to get the lates version, 3.3 rpm from ftp.suse.com and enable the useprivilegeseparation
OpenBSD will release OpenSSH 3.4 on monday wich will fix the vulnerability.

And here is the actual advisory e-mail to bugtrack from Theo de Raadt (I couldn't find the mail on the web for some reason...):

There is an upcoming OpenSSH vulnerability that we're working on with
ISS. Details will be published early next week.

However, I can say that when OpenSSH's sshd(8) is running with priv
seperation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements
but in particular, it significantly improves the Linux and Solaris
support for priv sep. However, it is not yet perfect. Compression is
disabled on some systems, and the many varieties of PAM are causing
major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable
priv seperation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh
functionality. However, with privsep turned on, you are immune from
at least one remote hole. Understand?

3.3 does not contain a fix for this upcoming bug.

If priv seperation does not work on your operating system, you need to
work with your vendor so that we get patches to make it work on your
system. Our developers are swamped enough without trying to support
the myriad of PAM and other issues which exist in various systems.
You must call on your vendors to help us.

Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
lot of that runs as root. But when UsePrivilegeSeparation is enabled,
the daemon splits into two parts. A part containing about 2500 lines
of code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs. This makes the daemon less vulnerable
to attack.

We've been trying to warn vendors about 3.3 and the need for privsep,
but they really have not heeded our call for assistance. They have
basically ignored us. Some, like Alan Cox, even went further stating
that privsep was not being worked on because "Nobody provided any info
which proves the problem, and many people dont trust you theo" and
suggested I "might be feeding everyone a trojan" (I think I'll publish
that letter -- it is just so funny). HP's representative was
downright rude, but that is OK because Compaq is retiring him. Except
for Solar Designer, I think none of them has helped the OpenSSH
portable developers make privsep work better on their systems.
Apparently Solar Designer is the only person who understands the need
for this stuff.

So, if vendors would JUMP and get it working better, and send us
patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
which supports these systems better. So send patches by Thursday
night please. Then on Tuesday or Wednesday the complete bug report
with patches (and exploits soon after I am sure) will hit BUGTRAQ.

Let me repeat: even if the bug exists in a privsep'd sshd, it is not
exploitable. Clearly we cannot yet publish what the bug is, or
provide anyone with the real patch, but we can try to get maximum
deployement of privsep, and therefore make it hurt less when the
problem is published.

So please push your vendor to get us maximally working privsep patches
as soon as possible!

We've given most vendors since Friday last week until Thursday to get
privsep working well for you so that when the announcement comes out
next week their customers are immunized. That is nearly a full week
(but they have already wasted a weekend and a Monday). Really I think
this is the best we can hope to do (this thing will eventually leak,
at which point the details will be published).

Customers can judge their vendors by how they respond to this issue.

OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
On OpenBSD privsep works flawlessly, and I have reports that is also
true on NetBSD. All other systems appear to have minor or major
weaknesses when this code is running.

(securityfocus postmaster; please post this through immediately, since
i have bcc'd over 30 other places..)

True ammo, but what I whas stressing on is that SuSE installs OpenSSH by default.
I have the mail from Theo de Raad somewhere, if you want it I'll dig through the mails I get from the mailinglist.www.deadly.org also has a lot of info.

Chill out Unleashed, I don't check out sites like www.openssh.org on a daily basis so I rely on the mailinglists to keep me alert so I didn't come up with a url in my first post. Draziw is just reminding you to think logical for yourself, www.google.com next time.

Originally posted here by Unleashed draziw > as Leviatan said www.deadly.org , well ...stupid me.. ofcourse not

Ummm... unleashed? OpenSSH.ORG is the home for OpenSSH (<edit>Ammo also nicely came back with the actual BugTraq post and similiar, which is often the first place people normally hear about stuff like this... thanks Ammo!</edit>). Leviatan came back and later said it was posted to a mailing list he is on... it's not like you posted that information and made it obvious you knew what was going on... in fact, what I believe you said was: